Location of Keystores Keystore and Certificate Maintenance

Managing Keystores, Wallets, and Certificates 8-21

Every time a password-protected wallet is created, an auto-login wallet is automatically generated. However, this auto-login wallet is different from the user-created auto-login wallet described in the previous bullet. The user-created wallet can be updated, even at configuration time, without a password; the automatically generated auto-login wallet is read-only and does not allow direct updates. Modifications must be made to the password-protected wallet by supplying its password, at which time the auto-login wallet is regenerated. The purpose of this system-generated auto-login wallet is to provide PKI-based access to services and applications without requiring a password at runtime, while still requiring a password at configuration time.

8.4.1.2 Self-Signed and Third-Party Wallets

Self-signed wallets contain certificates for which the issuer is the same as the subject. These wallets are typically created for use within an intranet environment where trust is not a high priority. Each self-signed wallet has its own unique issuer; hence, in an environment with multiple components and wallets, the trust management tasks increase n-fold. When created through Fusion Middleware Control, a self-signed wallet is valid for five years.

Third-party wallets contain certificates that are issued by well-known CAs. The functionality and security remain the same as for self-signed wallets, but the use of third-party certificates provides added trust because the issuers are well known, so they are already trusted by most clients.

Difference Between Self-Signed and Third-Party Wallets

From a functional and security perspective, a self-signed certificate is comparable to one issued by a third party. The only difference is that a self-signed certificate is not already trusted by clients.
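The following script is an added example and is not part of the Oracle documentation; it does not use Oracle wallets or orapki. It uses the openssl command-line tool (assumed to be installed) to make the trust difference above concrete: a client accepts a self-signed certificate only when that exact certificate is in its trust store, so every additional self-signed identity means one more entry to distribute, whereas one CA certificate in the store vouches for every certificate that CA issues. All names, keys and certificates are constructed inside the script and deleted on exit.

```shell
#!/bin/sh
# Added example, not taken from the Oracle documentation: uses the openssl
# command-line tool to show the trust difference described above. A client
# trusts a self-signed certificate only if it holds that exact certificate,
# while one CA certificate in its store vouches for every certificate that
# CA issues. All names, keys and certificates are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Self-contained OpenSSL config so the example does not depend on the
# system-wide openssl.cnf. Subjects are passed with -subj below.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[self_ext]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Create a self-signed certificate (issuer == subject).
# $1 = CN, $2 = file basename, $3 = extension section from the config.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$CNF" -extensions "$3" -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Create a certificate issued by the constructed CA: $1 = CN, $2 = basename.
make_ca_issued() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CNF" -extensions leaf_ext \
    -out "$WORK/$2.pem" 2>/dev/null
}

# True when the certificate's issuer DN equals its subject DN.
is_self_signed() {
  issuer=$(openssl x509 -in "$WORK/$1.pem" -noout -issuer | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$WORK/$1.pem" -noout -subject | sed 's/^subject=//')
  [ "$issuer" = "$subject" ]
}

# True when a client whose trust store is $1 (a PEM bundle) accepts $2.
trusted_by() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# Count how many of the listed certificates a client holding store $1 accepts.
count_trusted() {
  store=$1; shift
  n=0
  for c in "$@"; do
    if trusted_by "$store" "$c"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Two self-signed wallets (e.g. two component instances on an intranet).
make_self_signed "app-a.example.test" self_a self_ext
make_self_signed "app-b.example.test" self_b self_ext
# One CA and two certificates it issued.
make_self_signed "Example Test CA" ca ca_ext
make_ca_issued "app-c.example.test" leaf_c
make_ca_issued "app-d.example.test" leaf_d

# A client that trusts only wallet A's certificate, and one that trusts the CA.
cp "$WORK/self_a.pem" "$WORK/store_a.pem"
cp "$WORK/ca.pem" "$WORK/store_ca.pem"
# To accept all four identities a client needs three separate trust entries.
cat "$WORK/self_a.pem" "$WORK/self_b.pem" "$WORK/ca.pem" > "$WORK/store_all.pem"

echo "trusted with A's cert only: $(count_trusted store_a.pem self_a self_b leaf_c leaf_d) of 4"
echo "trusted with the CA only:   $(count_trusted store_ca.pem self_a self_b leaf_c leaf_d) of 4"
echo "trusted with all three:     $(count_trusted store_all.pem self_a self_b leaf_c leaf_d) of 4"
```

The first client accepts one of the four identities, the CA-only client accepts both CA-issued identities, and only a store that carries every self-signed certificate plus the CA accepts all four. That is the n-fold trust management cost the text refers to: each self-signed wallet is its own trust anchor and has to be distributed to every client individually.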

8.4.1.3 Sharing Wallets Across Instances

Oracle recommends that you do not share wallets between component instances or Oracle instances, since each wallet represents a unique identity. The exception to this is an environment with a cluster of component instances, in which case wallet sharing would be an acceptable practice. Note that no management tools or interfaces are available to facilitate wallet sharing. However, you can export a wallet from one instance and import it into another instance.

8.4.1.4 Wallet Naming Conventions

Follow these naming conventions for your Oracle wallets:

■ Do not use a name longer than 256 characters.

■ Do not use any of the following characters in a wallet name:

| ; , \ ` ~ { } [ ] = + space tab

Note: Observe this rule even if your operating system supports the character.
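The following shell function is an added example, not part of the Oracle documentation: a pre-flight check that applies the two naming rules above to a proposed wallet name before any wallet is created, so a provisioning script fails early instead of producing a wallet that later tooling rejects. The sample names at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: a pre-flight check for a
# proposed wallet name against the two rules above. Exit status 0 means the
# name is acceptable; otherwise the reason is printed on stderr and the
# status is 1.
valid_wallet_name() {
  name=$1
  # Rule 1: at most 256 characters (${#name} counts characters, not bytes,
  # under a UTF-8 locale).
  if [ "${#name}" -gt 256 ]; then
    echo "rejected: name is ${#name} characters, limit is 256" >&2
    return 1
  fi
  # Rule 2: none of  | ; , \ ` ~ { } [ ] = +  space or tab ([:blank:]).
  # ']' is listed first and '[' second so both are literal inside the
  # bracket expression; backslash is literal there as well.
  if printf '%s' "$name" | LC_ALL=C grep -q '[][|;,\`~{}=+[:blank:]]'; then
    echo "rejected: name contains a character that is not allowed: $name" >&2
    return 1
  fi
  return 0
}

# Constructed sample names (not from the page): only the first two pass.
for candidate in orders_wallet 'wallet-2024.v1' 'orders wallet' 'app|wallet' 'C:\wallet'; do
  if valid_wallet_name "$candidate" 2>/dev/null; then
    echo "ok:       $candidate"
  else
    echo "rejected: $candidate"
  fi
done
```

Hyphens, dots and underscores are not on the forbidden list and pass the check; the function deliberately enforces only what the page states and adds no rules of its own.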